Data Processing Agreement

Last updated: 12 July 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between the customer ("Controller", "you") and OSHOOT AG, Industriestrasse 19, 8112 Otelfingen, Switzerland ("Processor", "we"), operator of Momo (the "Service"). It governs our processing of personal data on your behalf and reflects the requirements of the EU General Data Protection Regulation (GDPR, Art. 28) and the revised Swiss Federal Act on Data Protection (revFADP, Art. 9).

1. Roles & scope

You are the Controller of the personal data you and your users enter into the Service; we act as your Processor. We process personal data only to provide the Service and only on your documented instructions, including those set out in this DPA and the Terms.

2. Subject matter, nature & purpose

Subject matter and duration: the provision of the Service for as long as your account is active. Nature and purpose: hosting, storing and processing personal data so your organization can track time, manage absences and balances, handle expenses, and run reports. Details are in Annex 1.

3. Our obligations

  • Process personal data only on your documented instructions, including for international transfers, unless required by law (in which case we inform you, where legally permitted).
  • Ensure persons authorized to process the data are bound by confidentiality.
  • Implement appropriate technical and organizational measures (Art. 32 GDPR) — see Annex 2.
  • Assist you, taking into account the nature of processing, in responding to data-subject requests and in meeting your security, breach-notification and DPIA obligations.
  • At the end of the Service, delete or return all personal data, and delete existing copies, unless retention is required by law.
  • Make available information necessary to demonstrate compliance and allow for and contribute to audits (see clause 7).

4. Sub-processors

You give general authorization for us to engage the sub-processors listed in Annex 3. We impose data-protection obligations on each sub-processor equivalent to those in this DPA and remain liable for their performance. We will inform you of intended changes (additions/replacements) and give you a reasonable opportunity to object on reasonable data-protection grounds.

5. Personal data breach

We will notify you without undue delay after becoming aware of a personal data breach affecting your data, with the information you reasonably need to meet your own notification duties.

6. International transfers

Your data is hosted in the European Union (Frankfurt, Germany). Where any processing by us or a sub-processor would involve a transfer outside the EEA or Switzerland, it is carried out under an adequacy decision or appropriate safeguards (e.g. EU Standard Contractual Clauses with the Swiss addendum).

7. Audits

On reasonable prior notice and no more than once per year (unless required by a supervisory authority), we will provide information reasonably necessary to demonstrate compliance with this DPA, including relevant third-party reports where available.

8. Liability & governing law

Liability is governed by the Terms of Service. This DPA is governed by Swiss law. If there is a conflict between this DPA and the Terms regarding data protection, this DPA prevails.


Annex 1 — Details of processing

  • Categories of data subjects: the Controller's team members/employees and any individuals referenced in entries (e.g. project contacts).
  • Categories of personal data: name, email, role, language; time entries, projects, absences and balances; expenses and notes; authentication data.
  • Special categories: none intended. Do not enter special-category data (e.g. health) beyond what absence types inherently imply.
  • Frequency: continuous, for the duration of the Service.

Annex 2 — Technical & organizational measures

  • Encryption in transit (TLS/HTTPS) for all connections.
  • EU-region hosting (Frankfurt); access to production restricted to authorized personnel.
  • Authentication with hashed passwords; role-based access within each organization; tenant isolation.
  • Managed database with automated backups; logging and monitoring.
  • Use of vetted sub-processors under data-processing agreements.
  • Data-subject self-service export and account deletion.

Annex 3 — Sub-processors

Sub-processor Purpose Location
DigitalOceanHosting & storageEU (Frankfurt)
StripeSubscription paymentsEU / global
ResendTransactional emailEU / global

Questions about this DPA: privacy@momotime.app